Yeah, good catch Chris! I’d be interested in seeing some field data as well. 
The only info I saw was that it changed every 24 hours, but it sounds like 
there’s a * which indicates inactivity / not associated.

It makes much more sense that it wouldn’t change if the device maintains an 
active connection as there are really no privacy concerns until the device 
disconnects and moves.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, July 21, 2020 at 13:15
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Tim had mentioned the following: “On iOS 14, the MAC is set per ESSID and is 
changed once every 24 hours.”

Chris then mentioned that he found one iOS 14 device that, as long as it 
remains connected, the MAC remains the same, even beyond 24hrs.

Has anyone else done testing? Please share your results.

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Johnson, Christopher
Sent: Monday, July 20, 2020 10:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Default behavior matters indeed. Got a preview of what to expect over the 
weekend.

Found one individual that was in Aruba Airwave “12 Times” for their iPhone 14.0 
over past couple of weeks and another “6 times”. It appears that as long as the 
device remains “connected” to the network beyond the 24 hours, the MAC Address 
will remain the same. Although if they’re fully de-authenticated or move say 
into an elevator or outside (or a class phone reboot occurs in the pocket) – 
then the MAC Address will update upon establishing a new connection – that is 
just the initial observation I saw.
Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook <https://www.facebook.com/ISUITHelp/> and 
Twitter <https://twitter.com/ISUITHelp>

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Enfield, Chuck
Sent: Tuesday, July 14, 2020 12:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

True, but default behavior matters.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Rios, Hector J
Sent: Tuesday, July 14, 2020 1:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Please note that MAC randomization is not just a feature of Android and iOS. It 
is supported across other operating systems.

Hector Rios, Wireless Network Architect
The University of Texas at Austin



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jonathan Miller
Sent: Tuesday, July 14, 2020 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

For those of us using ClearPass to authenticate users to eduroam, does this 
mean that every iOS device will get registered as a new endpoint every day?  
For others, does your NAC store a client's MAC persistently?  I'm assuming that 
the answer to both is yes.

How can we plan for the impact of that on our databases?  Should we delete all 
iOS and Android devices after 48 hours?  Am I missing something obvious?

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College
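
An added example, not part of the original message: one way to scope the cleanup asked about above to private addresses only. It assumes randomized addresses set the locally administered bit of the first octet and that the NAC can export each endpoint's MAC and last-seen time; the field names, sample records and 48-hour threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def is_private_mac(mac: str) -> bool:
    """Return True for a unicast, locally administered (likely randomized) MAC."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first_octet = int(digits, 16) >> 40  # int() also rejects non-hex input
    locally_administered = bool(first_octet & 0x02)  # U/L bit
    multicast = bool(first_octet & 0x01)             # I/G bit
    return locally_administered and not multicast


def purge_candidates(endpoints, now, max_idle=timedelta(hours=48)):
    """List private-address endpoints idle longer than max_idle.

    Ageing is keyed on last_seen, not first_seen: per the observation in
    this thread, a device that stays connected keeps its address past
    24 hours, so an old first_seen does not mean the record is stale.
    Globally unique (burned-in) addresses are never selected.
    """
    stale = []
    for ep in endpoints:
        idle = now - ep["last_seen"]
        if is_private_mac(ep["mac"]) and idle > max_idle:
            stale.append(ep["mac"])
    return stale


# Constructed sample export; none of these records come from a real network.
NOW = datetime(2020, 7, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    # Globally unique address, idle 10 days: kept (not a private address).
    {"mac": "3c:22:fb:10:20:30", "last_seen": NOW - timedelta(days=10)},
    # Private address, idle 3 days: purge candidate.
    {"mac": "da:a1:19:00:00:01", "last_seen": NOW - timedelta(days=3)},
    # Private address, seen 2 hours ago: kept (still in use).
    {"mac": "f2:6e:0b:aa:bb:cc", "last_seen": NOW - timedelta(hours=2)},
    # Private address in dash notation, idle 49 hours: purge candidate.
    {"mac": "A6-5E-60-11-22-33", "last_seen": NOW - timedelta(hours=49)},
]

if __name__ == "__main__":
    for mac in purge_candidates(SAMPLE_ENDPOINTS, NOW):
        print("purge candidate:", mac)
```

The locally administered bit is also set on some virtual and software-defined interfaces, so treat the result as "likely randomized" and restrict the purge to device categories where that is acceptable.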


On Fri, Jul 10, 2020 at 4:37 PM Enfield, Chuck <cae...@psu.edu> wrote:
PS – My plan for supporting our guest network will be to tell any user who 
contacts us with an Apple device that the network is fine and they should 
contact Apple for device support.  I can’t get away with that for our 
enterprise network, but Apple is going to own the guest problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

My point wasn’t to debate Passpoint either.  I’m wondering if Apple actually 
has a plan, and if so, if they’ve bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Passpoint is not just about mobile network operators. Any identity provider can 
provision a Passpoint profile. That is the whole drive behind OpenRoaming. The 
industry goal is that every user has at least 2 Passpoint profiles on their 
devices: one tied to their enterprise/school identity and the other tied to a 
personal identity. The traditional enterprise/school onboarding process stays 
largely the same, except some additional Passpoint logic is added.

Mobile network operators / cell providers are only one (optional) piece of the 
puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond 
it being a solution for network access. Don’t want to take away from the OG 
conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 10, 2020 at 16:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Understood, but few Wi-Fi operators actually support Passpoint on their 
networks.  Since Apple is eliminating the alternatives, they either must be 
idiots (my bet) or have a proposal for what we should all be doing instead.

I still get really confused looks when I try to discuss Passpoint with my 
contacts at the major cellular providers, so it can’t possibly be a realistic 
option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi 
roaming. Passpoint has been supported on iOS and macOS (along with Windows and 
Android) for a number of years.

I definitely don’t follow this comment: “you can’t onboard your Apple to enable 
identity-based auth.”

tim


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 10, 2020 at 16:04
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

So you can’t use an Apple MAC address for guest auth, and you can’t onboard 
your Apple to enable identity-based auth.  Apple must be thinking that they can 
drag the entire world, kicking and screaming, into federated authentication 
that Apple products ship knowing how to do (Passpoint, OpenRoaming, etc.).  Do 
they have a proposal for this that I missed?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Rios, Hector J
Sent: Friday, July 10, 2020 2:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MAC Randomization, a step further...

Apple is moving forward with their privacy efforts. The next step is to 
randomize MAC addresses when connecting to an AP, not just when probing. This 
is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/

This is from Apple. Luckily, there is a way to disable private addresses. I 
just don’t know if it will be ON by default.
https://support.apple.com/en-qa/HT211227

Happy Friday!

Hector Rios, Wireless Network Architect
The University of Texas at Austin


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
